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MEMORANDUM FOR: Director o£ Data Processing 


FROM 

SUBJECT 



Chairman, OS/OC Security Review Committee 
Security Review of SAFE Proposals (U) 


1. (U/AIUO) Attached are the findings of the S ecurity 
Comm^^e^Rev^w for the SAFE proposals submitted by 

It is the recommendation of the Security 
Working Group that the BLACK system bus architecture be 
selected for the SAFE program. 

2. (C) The three key factors which impact the conclusions 
and recommendations for the report are: 

a. The totality of sensitive data on a RED bus, 

b. The budgetary constraints for a labor intensive 
on-going line surveillance program deemed essential for 
a RED bus, 

c. The advancement of the state-of-the-art 
anticipated in the field of microminiature technical 
collection equipment. 

3. (U/AIUO) We, ODP/OC/OS, are entering the next 
generation of information handling within the Agency and within 
the Intelligence Community. It is imperative that crucial 
decisions be made at the entry point to obviate the recognized 
expense of retrofits. , 
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EXECUTIVE SUMMARY 


The Security Review Committee, comprised of Office 
of Security a nd Office of C ommunications representatives, 
have reviewed studies for the SAFE program. 

The multi -discipline background of the members of this 
committee run the gambit of Office of Security officers 
with intimate experience and responsibilities for pro- 
tecting the Agency's Information Systems and Classified 
Information, with expertise in technical countermeasures 
for wireline .protection; and Communications Security 
officers who have the prime responsibility for protecting 
the data flow of Agency information. 

It is the position of this committee that the BLACK 
communications architecture is necessary to protect the 
information currently anticipated to be flowing within 
this system. 

This is based on an appraisal of the threat/risk 
to the information. The classification level of infor- 
mation and its sensitivity mandates the highest level of 
protection. The difficulty of providing a high level of 
security in a RED system, its estimated resource costs 
both financial and human, long and short, further support 
this position. 
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I. INTRODUCTION 


This report provides a security evaluation o£ the 
SAFE RED and BLACK communications architectures provided 
by It contains recommendations for selection 

of a^aoequ^^ly secure architecture. 


A. BACKGROUND 


To fulfill the requirements of SAFE, an 
unprecedented volume of data including Top Secret, 
Sensitive Compartmented Information (SCI) and 
Community proprietary material will be distributed 
via a data communication system to approximately 
^^^^|users. A system which from the start appeared 
ab^^o handle SAFE'S complex communication system 
was the RF Bus Wide Band Commun^^^^i^y^eii^^CS) . 
This system was investigated 

under an ORD Feasibility Study, and has been adopted 
as the design for SAFE, Although the WBCS has^ 
numerous operational advantages, it requires high 
level security protection because all data flows to 
all points on the bus. 

The concept of a communication trade-off study 
was formulated at the time of the SAFE Request For 
Proposal (RFP) to allow flexibility in providing the 
required security protection for the SAFE data. ^Two 
approaches were proposed: RED and BLACK. A plain 
text RED system would rely heavily on physical 
security devices and TEMPEST protection techniques. 

A BLACK system would derive its security from 
encrvption. The contractors were directed to pursue 
the design of both a RED and a BLACK architecture to 
a point where meaningful comparisons could be made 
by the Government and a preferred architecture chosen. 
This point in time has now been reached. 
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B. OBJECTIVES 


The objectives o£ the OS/COMSEC Working Group 
were to evaluate both contractors' proposed systems 
and their security features for security adequacy 
and cost. In order to estimate the degree of 
security required for the SAFE Communications 
System and then determine how well the proposed 
systems met these requirements, it was necessary 
for the Working Group to first assess the threats 
to which the SAFE Communications System would be 
subjected. Next, the communications systems were 
analyzed for vulnerabilities in their designs. 

Costs included not only one-time costs of designing 
and implementing the security features, but also 
the continuing costs and manpower requirements to 
sustain the required security protection. Finally, 
security countermeasures had to be identified to 
correct the weaknesses in an acceptable manner. 
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III. RED/BLACK COMPARISON 


A. PREREQUISITES 


There are certain prerequisites that must be 
considered before addressing the two types ^o£ 
architectures, RED and BLACK. These are minimum 
standards which must be met by any system which 
is installed. 


1. It is a requirement that high grade 
cryptographic key generators be used to 
protect inter-building links. 


2. If a RED system is installed, the 
Security Standards for Classified Plain 
Text Distribution in the Headquarters 
Building and the Security Standards for 
Classified Plain Text Distribution in 
Outside Buildings must be adhered to. 
Also, NACSEM 5100 requirements (TEMPEST) 
must be met for all terminals and the 
cable distribution system. 


3. If a BLACK architecture is implemented 
a high grade cryptographic algorithm must 
be used in the cryptographic module (CM) 
in a cost effective manner. Thisis 
feasible by the omission of certain alarms, 
checks, and security failure analysis. 

The TEMPEST requirements imposed by Chapter 
6 of KAG-30 will be applied to the CM. 
NACSEM 5100 requirements will be applied 
to the BLACK terminals. MIL- STANDARD 461 
requirements will be applied to the cable 
distribution system. 
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B. RATIONALE 


The rationale for the evaluation of the 
proposals was to determine what security protection 
is required for various types of installations and 
then ascertain what approved counterineasures could 
be used to reduce the degree of risk to an 
acceptable level. Only those techniques presently 
employed by the Office of Security were considered 
since no new physical security techniques were 
addressed by either contractor. 

For the RED installation, all BIU's, amplifiers, 
splitters and taps must be locked and alarmed. In 
addition, the terminals must be locked to prevent 
unauthorized access to the system. The possibility 
of constructing special purpose vaults to protect 
the rooms which house terminals vice alarming 
individual terminals was investigated and the cost 
was found to be prohibitive. The idea of placing 
the terminals in safes, as is presently done for 
some cryptographic systems, was also considered and 
found to be too expensive in addition to being 
inconvenient for the operator . We concluded that 
individual alarms were cost effective and included 
only the minimum number of alarms necessary to 
isolate a problem to a reasonably small physical 
area ensuring an acceptable alarm response time. 

This approach provides security protection while 
allowing the SAFE operators to work in a standard 
office environment. 

For the BLACK installation, only the crypto- 
graphic module and terminal must be protected. For 
simplicity of installation it is recommended that 
the* CM be integrated into the terminal or work 
station. The required protection for the CM and 
terminal in a BLACK System is a strengthened 
cabinet and lock. 

For a BLACK System, the Automatic Key 
Distribution Center (AKDC) and the other centralized 
cryptographic functions must be in a privacy area 
within the computer center, which will meet the 
criteria for a Special Purpose Vault. Another require- 
ment on the AKDC is that nobody is allowed in the 
area alone; also referred to as two-man control. 
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IV. COSTS 


A. GENERAL 


For the purpose o£ evaluating the costs 
associated with either a RED or BLACK communications 
architecture one must look not only at the systems 
costs pr'esented by the two contractors, but also^ 
the added costs o£ providing the requisite _ security 
protection £or the system. The £ollowing is an 
analysis o£ the added security hardware costs and 
resource impact £or meeting requisite security 
protection . 


SYSTEMS COST ESTIMATES 


The System architecture is con£igured so 

that the bus runs only as £ar as the electrical 
closets where the BIU and cluster units are 
located. The data is then distributed to each work 
station via individual twisted pair cabling. It 
should be noted that only the data to and £rom an 
individual terminal is available to an intruder on 
each pair o£ twisted wire. The security protection 
required is, thus, similar to that provided today. 

Table 1 enumerates the items that require protection, 
indicates the quantity o£ devices to be protected, _ 
and designates the security measures and the associated 
costs £or both the RED and BLACK systems. Table _ 2 
provides the computation data for the added physical 
and technical security protection required for the 
G.E. RED system. Table 5 provides t^ computation 
data for similarly protecting the BLACK system. 

It should be noted that the quantities used were 
based on information provided by the contractor and 
the experience of the working group. No security 
costs for outside buildings have been included in 
this cost estimate. The unit cost of physical 
technical security protection in outbuildings may be 
higher than that required in the Headquarters 
environment . 
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TABLE 1 

HARDWARE COST OF SECURITY MEASURES FOR I 


25X1 A 

■i SYSTEM 






UNIT 

COST 


ITEM BEING SECURED 

QUANTITY 

SECURITY MEASURE 

RED 

BLACK 

1 . 

Single I/O Device 

SAFE Terminal 

1663 

Cabinet lock and increased strength of 

$ 100 

$100 


Regional Printer 

121 

cabinet 




ADSTAR Terminal 

900 




2. 

BIU or BIU Extenders 

45 

Contact switch alarm in existing elect, 
closet with twisted shielded pair to a 

100 





monitor 



- 



Cabinet Lock 

olo 

0 


3. Workstation Cluster 
Splitter Tap 


Ti Coaxial Bus Amplifiers 
enclosure 


”6^ Coaxial Cable Pullbox 


7. Twisted Pair From 
BIU to I/O Device 


N/A, since BIU's located in closets 


Contact switch alarm in existing elect. 100 

closet with twisted shielded pair to a 
monitor 

Cabinet Lock 20 

T70 


Contact switch alarm in existing elect. 100 

closet with twisted shielded pair to a 
monitor 

Cabinet Lock 20 

TIU 


Contact switch alarm outside existing elect. 1350 
elect closet with a twisted shielded pair 
to a monitor 

Cabinet Lock 20 

T37TT 


N/A twisted pair in floor cells will not 
require additional costs 0 
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SYSTEMS COST ESTIMATE 


The system architecture is configured so 

that the bus runs all the way to the BIU which 
will be located in the work station area. The 
transmission path is coaxial cable. This necessitates 
providing protection for the system wherever the bus 
data is available to an intruder. Table 4 enumerates 
the items that require protection, indicates the 
quantity of devices to be protected, and designates 
the security measures and the associated costs for 
both the RED and BLACK systems. Table 5 provides 
the computation data for the added physica^^a^ 
technical security required to protect the RED 

system. Table 6 provides the computation data for 
similarly protecting the ^^^BLACK system. It should 
be noted that the quantities used were based on 
information provided by the contractor and the exper- 
ience of the working group. No security costs for 
outside buildings have been included in this cost 
estimate. The unit cost of physical and technical 
security protection in outbuildings may be higher 
than that required in the Headquarters environment. 


/^r-Mrtnr 
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TABLE 4 


HARDWARE COST OF SECURITY MEASURES FOR 
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TT 


ITEM BEING SECURED 
I/O Device 


QUANTITY 


SECURITY MEASURE 


UNIT COST 
RED BLACK 


SAFE Terminal 
Regional Printer 
ADSTAR 


1663 

1S8 

900 


Cabinet lock § increased cabinet strength $ 100 


$100 


T7 


Regional Printer + BIU 
SAFE Terminal + BIU 
ADSTAR + BIU 


158 

332 

900 


Contact switch alarm outside existing 
elect, closet w/TSP to a monitor 
Cabinet Lock 


1350 


20 


100 


“ ' 3"; Workstation Cluster + BIU 

60%@4:1RATIO 998/4 = 250 

20I@2:1RATIO 333/2 = 167 


4. Splitter Tap 


Jo 

1500 


Contact switch alarm for each cluster 
series w/TSP to a monitor 
Cabinet Lock 

Contact switch alarm FM ^ ~ 

existing elect, closet w/TSP to a monitor 
Cabinet Lock 

Contact 7wTtch~aTarm“from outsTde existing 
elect, closet w/TSP to a monitor 
Cabinet Lock 


1500 

20 

TSTO 

100 

20 

"TTO 


1350 

20 

TT71T 


0 

100 

100 

0 

0 


0 

0 

0 


5. 

Elect, closet IDF and 
floor cell entry cover 

70 

Contact switch alarm from existing 
elect, closet w/TSP to a monitor 

Cabinet Lock 

100 

20 

120 

0 

0 


Pullbox 

41 

Contact switch alarm for outside 
existing elect, closet w/TSP to a monitor 
Cabinet Lock 

1350 

20 

T37TT 

0 

0 

“7T 

Floor cell covers 

Moo 

Buy new covers to replace presently 
missing covers 

40 

0 
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D. RESOURCE COSTS 


The required resource allocation for a security- 
surveillance program can vary widely depending on the 
level of effort. In order to illustrate the range 
of costs, the resource costs were divided into two 
categories ■ a maximum effort and a minimum effort. 


25X1 A 
25X1 A 


1 . Max imum Effort 

Technical Inspect ion - For a RED environment, 
if the Office of Security inspects every I/O 
device once a year, it is estimated that it would 
take 12 man-years of effort to inspect the SAFE 
system. This is based on an estimated 8 hours to 
inspect an I/O device and its associated wiring. 

It is estimated that for a RED scenario, it will 
take 10 man-years to provide an alarm monitor and 
response program capability. For a BLACK sys-tem, 
it will take 5 man-years to monitor the security 
console. In addition, the present annual 
maintenance costs for alarms and associated 
wiring is $31. 2/alarm pe:^>^ar. It is estimated 
that these costs forthe^^H RED system be 

$6,300 and the the RED system will be $107,600. 

These costs are not reflected on any table. 

TEMPEST Inspection - If the Office of 
Communications TEMPEST- inspects every I/O device 
once a year, it is estimated that it would take 
24 man-years of effort to inspect the SAFE system. 
This is based on a two-man team inspecting one 
I/O device per day and two electrical closets per 
day. 


2 . Minimum Effort 

Technical Insp ection - For a RED environment, 
if the Office of Security checks only the conduit 
runs and maintains alarms it is estimated that 3 
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man-years of effort would be required. It is 
estimated that for a RED scenario it will take 
10 man-years to provide an alarm monitor and 
response program capability. For a BLACK system 
it will take 5 man-years to monitor the security 
console. In addition, the present annual 
maintenance costs for alarms and associated 
wiring is $31. 2/alarm peryear. It is estimated 
that these cos ts fo r the^^l RED system will be 
$6,300 and the RED system will be $107,600. 

These costs are not reflected on any table. 

TEMPEST Inspection - If the Office of 
Communications TEMPEST- inspects the 70 
electrical closets annually and 101 of the I/O 
devices annually, it is estimated that 2 man- 
years of effort would be required. 
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COMSEC SUBSYSTEM DEVELOPMENTAL RISK 


The development schedule provided in the 
architecture document is confirmed as realistic. The 
schedule could be tightened, exposing the system to a 
higher degree of risk, but this does not appear 
necessary or desireable. NSA hopes to begin development 
of the COMSEC Subsystem in early FY-79. This will allow 
NSA to develop a CM which could be common to a variety 
of systems. This has several advantages to the SAFE 
program: lower unit cost, minimum development cost, 

security protection, and interoperability other 

intelligence networks, and a development schedule ^ 
approximately 9 months to 1 year earlier than required. 

The performance risk is considered low. A 
significant risk item is the 9600 bps throughput^ 
required of the CM. However, this risk is minimized by 

the following: 

A. There is a moderate risk in meetingthe 
requirement with current day technology in 
microprocessors . 

B. If the new higher speed microprocessors 
announced by manufacturers meet their claims, 

NSA can meet the requirement with ease. 

C. Alternative cryptologic devices exist which 
can meet the throughput requirement, however, 
their employment would likely adversely effect 
potential interoperability with other systems. 

D. NSA could use any one of a number of existing 
LSI cryptologic chips with microprocessor control 
and easily exceed the system requirements. 

However, the cost for each CM would probably rise 
to about $500 and SAFE would likely lose potential 
interoperability with other systems. 
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The SAFE COMSEC Architecture ^^ana^gous to the 
development program. has been in 

since April 1977 and an operational testbed 
should* be installed in mid-1979. Most of the detailed 
design and network protocols and procedures have already- 
been accomplished. The next year involves software 
coding and equipmen t fabrica tion for the test. The only- 
direct fallout from^^^^^lto SAFE beyond the design 
stage, is the high speed Key Generator Unit (KGU) . The 
remaining design and fabrication of this.KG.U is less 
than one year from completion. Tjhu^^there are no 
remaining "prerequisites" from except the KGU, 
and that will be fabricated and demonstrated prior to a 
SAFE contract award. 

The most significant risk item in the COMSEC Sub- 
system has to do with dts interface to the SAFE System 
components. Changes in the basic SAFE architecture, 
once defined, must be fully coordinated with NSA to 
determine their impact on NSA schedules. 
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VI. FUTURE UTILIZATION OF THE BUS 


Since the analysis of the bus communications system 
indicates that it will only be 40% utilized when SAFE is 
fully operational, the remaining 60% capacity v^rill be 
utilized for other communications requirements. This 
150% growth in the number of I/O devices which can he 
connected to the bus is extremely significant because 
the same physical and technical security, problems that 
exist for the SAFE system will exist for any system that 
utilizes the bus. This stems from the requirement to 
protect the information appearing on the bus. 

If a RED bus system is installed, all the security 
features detailed in the cost section of the report 
must be applied for each new I/O device. 

If a BLACK bus system is installed, a CM and lock 
will be the only security requirements for each I/O 
device . 
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VII. DEFICIENCIES IN CONTRACTOR REPORTS 


As expected, the two contractors made some 
different assumptions in coming up with their RED/BLACK 
presentations. Surprisingly, certain costs were 
excluded in one case and not in the other. Certain 
system sizing numbers were not consistent throughout. 

It was therefore difficult to create a common base of 

comparison .for the. candidate systems, particularly 

because the contractors were vague about itemizing 
security related costs. Although some of the differences 
could be resolved by assumed quantities to which unit 
security costs could be applied, other component counts 
were so imbedded in the contractors' submissions that unit 
costs could not be assigned. To be specific: 

A. excluded the costs of physical security 
devices in their RED presentation. Therefore, 
the RED total cost was unrealistically low. 
Furthermore, it was difficult to track the 
distribution of system components so that 
reasonable physical security unit costs could 
be applied. 

B. Although it was fully understood by the 
Working Group that the RED/BLACK Security 
Evaluation was not supposed to be a contractor 
competi'^^^ contractor design comes into play 
because ^^^has a BIU associated with each 
terminal and the coaxial bus extending to the 
BIU, whereas^^^l has one BIU for many terminals 
and terminates its bus in the electrical 
closets. The Security Working Group recognizes 
that part of the decision of the contractors for 
BIU placement was based on individual interpre- 
tations of what they were or were not permitted 

to do by the Government. If operations or security 
appears to advise a change, either contractor could 

be instructed to switch to the other's approach. 
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Although not a part of the contractors' submissions, 
Combined Project SAFE Office (CSPO) background paper, 
which included a communication system timetable, suggests 
an apparent difficulty for the delivery of the BLACK 
crypto subsystem. NSA confirmed on 23 March 1978 to the 
CSPO there was no difficulty. The original NSA delivery 
timetable was based on the dates previously supplied by 
CSPO. If a new shorter timeframe can truly be achieved 
by the contractors, then NSA can also advance its delivery. 
This can be stated with some confidence. Work on the more 
difficult building blocks of the BLACK COMSEC subsystem is 
already" well underway for other applications, quite inde- 
pendent of SAFE. The SAFE contractors should be directed 
to work out the integration of the subsystem to their 
resp-ective BLACK communications architecture. 

It was noted as a deficiency of the CSPO timetable 
and the contractors' reports that no mention of a testbed 
timetable was made. Although a testbed period would be 
part o£ the System Acquisition Phase (SAP) , the _ lack o£ 
reference to it in the CSPO timetable made it difficult 
to determine the necessary delivery date for a BLACK 
COMSEC Subsystem. The amount of time available to 
resolve any problems anywhere in the communications 
system which would first come to light in a functioning 
system could also not be determined. 

^^Hneglected to provide an integration design 
figure to estimate support for a BLACK subsystem. It is 
understood that they are working up these figures at the 
present time. 

It should be noted, as was stated by the NSA 
consultant in the joint meeting with the CSPO Working 
Group, that the costs of the BLACK COMSEC Subsystem were 
in part, predicated on the need for a 10 Mbs data rate 

f;fequency slot. Subsequent contractor architecture 
changes have resulted in a change from the 10 Mbs rate 
to a 2 Mbs rate. As a result of this change, the costs 
for the COMSEC Front End (CFE) and the Safe Key Generator 
(SKG) should be greatly reduced. 

It should be pointed out that ^^(included costs for 
a conduit in the BLACK Communication System price. This 
is not a security requirement for a BLACK system. The 
total should be adjusted accordingly before comparing any 
total system costs. 
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VIII. CONCLUSION AND RECOMMENDATIONS 


A. INTRODUCTION 


The utilization of a .bus communication system 
introduces a new dimension to the data communication 
security problem. This dimension is the flow of all 
system communications on a single cable throughout 
the bus installation configuration. The potential 
damage to the Agency and National Security from 
penetration of this bus for the information flowing, 
mandates maximum security. 


B. CONCLUSION 


The two fundamental forms of communications 
security RED and BLACK were compared. The following 
conclusions are a result of this comparison: 

1. The BLACK system provides absolute security 
on an end to end basis for each identifiable 
circuit within the busj the RED system 
provides a high degree of physical security 
at the most vulnerable points only. 

2. If Agency management accepts the higher 
security vulnerability of a RED system 
then management must recognize and accept: 

a. The Risk 

b. Added security hardware costs 

c. Increased security revalidation and 
maintenance resource costs 
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3. The security for bus expansion is easily 
achieved in a BLACK system; security 
costs are estimated at 50% lower than for 
a RED system. 

4. A factor not directly associated with the 
SAFE communication system but which is 
worthy of management consideration is the 
potential influeiice on the Intelligence 
Community of a BLACK selection. 


C. RECOMMENDATIONS 


It is the recommendation of the Security 
Working Group that the BLACK system architecture 
be selected. 

It is further recommended that a coordinating 
group be established to maximize the effectiveness 
of the security features which are to be implemented 
in the system. 
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